Push for passport chips sparks security concerns

A passport that sends out unencrypted broadcasts of personal information to any device that can receive it doesn't strike Cleveland information security experts as a good idea.
But the U.S. Department of State is pressing ahead with its plan to put RFID chips in passports, although a department spokesman insists the government will address the privacy and security concerns that have been raised by security organizations and others including the Association of Corporate Travel Executives, which is based in Alexandria, Va.
RFID, or radio frequency identification, chips are small devices that broadcast information to a machine with a scanning antenna. They've been used for years in keys that unlock car doors with the push of a button and are being adopted widely for inventory control.
Wal-Mart has been asking its biggest suppliers to adopt the technology. Closer to home, the North Canton Public Library in Stark County uses RFID chips when patrons check out books and other materials and to provide better security and inventory control. Other Ohio libraries have been studying the technology.
The State Department argues that including RFID chips in passports would make the passports themselves more secure and would allow officials to read passports quickly and accurately, speeding travelers through checkpoints.
RFID chips in passports currently are being field-tested with flight crews, said State Department spokesman Kurtis Cooper. The State Department plans to start putting RFID chips in diplomatic official passports this fall and to start putting them in ordinary passports sometime next year, he said.
Bill Mathews, technical officer for Independence computer security firm Hurricane Labs LLC, said the concerns about RFID chips in passports are valid.
"Think about the problems that exist securing data across a hard line. It is not an easy thing to do," Mr. Mathews said. "It is made that much harder by wireless because it is a broadcast signal put out there for all to receive."
"If the idea is for convenience screening of passengers to move lines along, it's probably a great idea," he said. "The problem is that security and convenience seldom play nice together."
Daniel DeSantis, chief technical officer of BlueBridge Networks LLC in downtown Cleveland, said a tool called RFDump already has been invented to allow anyone to detect RFID tags and show their information.
"I would be very concerned about the use of RFID technology for the handling of private personal information," Mr. DeSantis said.
Bruce Schneier, a nationally known technology security expert and author, argues the proposal in effect means Americans traveling abroad will broadcast their names, ages, addresses and other information to any device that can read the RFID chip - making it easy for terrorists or criminals to pick them out of a crowd.
The Association of Corporate Travel Executives surveyed its members on the RFID proposal and reported that 93% of respondents were against the idea.
Mr. Cooper insisted State Department officials have been listening to the criticisms and will address them. Officials made a point of soliciting public comments and have been listening to them carefully, he said. Without providing specifics, he said the government will not begin widely issuing passports with RFID chips until it has found a way to satisfy critics.
There are plenty of suggestions on how to do that.
Mr. Schneier said one idea would be to put a button in passports so that the RFID chip would not work until the passport holder activated it or to use a device that would require the passport to touch a machine before it transmits the information.
Mr. Mathews also said he thinks a swipe card would be a good idea, as long as the federal government carried out the idea correctly. "The problem is the federal government is the worst at securing its systems," he said.
Mr. DeSantis suggested encrypting the RFID signals so that only the proper people can read them, and said the government should use read-only RFID chips. RFID chips that allow the information to be altered would invite forged passports, he explained.
Mr. Schneier said he sympathizes if the government wants to be able to use RFID chips so passports can carry more information, but he said the changes shouldn't be made in a way that creates more risk for passport holders.
"My whole problem is surreptitious access," he said.